XSS fixes

Author: alan-nettica

ui/package-lock.json

@@ -9,6 +9,7 @@
   },
   "dependencies": {
     "axios": "^1.7.4",
+    "dompurify": "^3.2.4",
     "is-cidr": "^3.1.1",
     "moment": "^2.29.4",
     "postcss": ">=8.5.3",

ui/package.json

@@ -19,6 +19,7 @@
   import Footer from "./components/Footer";
   import TokenService from "./services/token.service";
   import ApiService from "./services/api.service";
+  import DOMPurify from 'dompurify';
   import {mapActions, mapGetters} from "vuex";
 
   export default {
@@ -64,15 +65,17 @@
 
     mounted() {
       if (this.$route && this.$route.query && this.$route.query.redirect_uri) {
-        TokenService.saveRedirect(this.$route.query.redirect_uri)
-        TokenService.destroyToken() // force a token exchange
+        if (TokenService.isValidRedirect(this.$route.query.redirect_uri)) {
+          TokenService.saveRedirect(this.$route.query.redirect_uri)
+          TokenService.destroyToken() // force a token exchange
+        }
       }
       if (this.$route && this.$route.query && this.$route.query.code && this.$route.query.state) {
         
-        let redirect = TokenService.getRedirect()
+        let redirect = DOMPurify.sanitize(TokenService.getRedirect());
         if (redirect != null && redirect != "") {
           TokenService.destroyRedirect()
-          var url = redirect + "?code=" + this.$route.query.code + "&state=" + this.$route.query.state + "&client_id=" + TokenService.getClientId();
+          var url = redirect + "?code=" + DOMPurify.sanitize(this.$route.query.code) + "&state=" + DOMPurify.sanitize(this.$route.query.state) + "&client_id=" + TokenService.getClientId();
             window.location.replace(url);
             return;
         }

ui/src/App.vue

@@ -117,6 +117,14 @@ export const destroyClientId = () => {
   window.localStorage.removeItem(CLIENT_ID_KEY);
 };
 
+const AUTHORIZED_REDIRECTS = [
+  'https://my.nettica.com'
+];
+
+export const isValidRedirect = (url) => {
+  return AUTHORIZED_REDIRECTS.includes(url);
+};
+
 export default {
   getRedirect,
   saveRedirect,
@@ -144,5 +152,6 @@ export default {
   destroyState,
   getCode,
   saveCode,
-  destroyCode
+  destroyCode,
+  isValidRedirect
 };